From 72381a58107fe422b494dbe50e426c868bc8e06d Mon Sep 17 00:00:00 2001
From: Vraj Mohan <vraj@codeforamerica.org>
Date: Thu, 14 Sep 2023 07:04:04 -0700
Subject: [PATCH 1/3] Document the trusted port for callbacks and docs

---
 docs/adrs/0002-public-endpoints.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 docs/adrs/0002-public-endpoints.md

diff --git a/docs/adrs/0002-public-endpoints.md b/docs/adrs/0002-public-endpoints.md
new file mode 100644
index 0000000..8d53a05
--- /dev/null
+++ b/docs/adrs/0002-public-endpoints.md
@@ -0,0 +1,29 @@
+# Public endpoints for callbacks and docs
+
+Date: 2023-09-14
+
+## Status
+
+Accepted
+
+## Context
+
+To prevent misuse, access to the API has been restricted using Aptible IP filtering. This does not work
+for callbacks from providers as the IPs may change for Twilio and Mailgun. Also, it is desirable
+to have the API docs be publicly available without restriction.
+
+Callback endpoints are secured using signature verification with a shared secret from the provider.
+
+Note: CfA has purchased Twilio Security Edition that supports a static list of IPs from which callbacks originate. As we had already implemented
+signature verification, we have not availed ourselves of this feature. We do not have a similar facility with Mailgun.
+
+## Decision
+
+We will listen on a separate port for callbacks and docs. This will not be secured with IP filtering.
+The specific port can be chosen using the configuration variable `server.trustedPort`. The callbacks and docs will be
+made available under the path `/public/`.
+
+## Consequences
+
+Aptible supports at most one default endpoint per app. Additional endpoints will need custom domains.
+For our staging environment, we have created a custom domain named https://staging.messaging.cfa-platforms.org/ using the AWS Route 53 service.

From a71565e9f79f86033c97cf4086315101ed5b7c7c Mon Sep 17 00:00:00 2001
From: Martha Pidcock <122047394+mpidcock@users.noreply.github.com>
Date: Thu, 14 Sep 2023 21:41:29 +0000
Subject: [PATCH 2/3] Add a table to show the application ports

---
 docs/adrs/0002-public-endpoints.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/adrs/0002-public-endpoints.md b/docs/adrs/0002-public-endpoints.md
index 8d53a05..cccf73f 100644
--- a/docs/adrs/0002-public-endpoints.md
+++ b/docs/adrs/0002-public-endpoints.md
@@ -23,6 +23,12 @@ We will listen on a separate port for callbacks and docs. This will not be secur
 The specific port can be chosen using the configuration variable `server.trustedPort`. The callbacks and docs will be
 made available under the path `/public/`.
 
+| Port | Use | Security | Path |
+|-|-|-|-|
+| 8080 | Messaging API | IP Filtering & BasicAuth shared password | https://app-54372.on-aptible.com |
+| [8086](/src/main/resources/application.properties) | Messaging Provider Callbacks & API Documentation | Public w/ Provider Signature varification | https://staging.messaging.cfa-platforms.org/public |
+
+
 ## Consequences
 
 Aptible supports at most one default endpoint per app. Additional endpoints will need custom domains.

From a2b069e08239701616b961a068852f6d2536a7a7 Mon Sep 17 00:00:00 2001
From: Martha Pidcock <122047394+mpidcock@users.noreply.github.com>
Date: Fri, 15 Sep 2023 14:48:35 -0700
Subject: [PATCH 3/3] Update 0002-public-endpoints.md

---
 docs/adrs/0002-public-endpoints.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/adrs/0002-public-endpoints.md b/docs/adrs/0002-public-endpoints.md
index cccf73f..d6689f2 100644
--- a/docs/adrs/0002-public-endpoints.md
+++ b/docs/adrs/0002-public-endpoints.md
@@ -23,10 +23,10 @@ We will listen on a separate port for callbacks and docs. This will not be secur
 The specific port can be chosen using the configuration variable `server.trustedPort`. The callbacks and docs will be
 made available under the path `/public/`.
 
-| Port | Use | Security | Path |
-|-|-|-|-|
-| 8080 | Messaging API | IP Filtering & BasicAuth shared password | https://app-54372.on-aptible.com |
-| [8086](/src/main/resources/application.properties) | Messaging Provider Callbacks & API Documentation | Public w/ Provider Signature varification | https://staging.messaging.cfa-platforms.org/public |
+| Port Use | Security |
+|-|-|
+| Messaging API | IP Filtering & BasicAuth shared password |
+| Messaging Provider Callbacks & API Documentation | Public w/ Provider Signature varification | 
 
 
 ## Consequences